The Department of Health and Human Services breach reporting tool recently added 13 separate filings from anesthesia practices across the U.S., stemming from a “data security incident” at the covered entities’ management company. In total, the compromise involved the protected health information of 380,104 patients.
The HHS tool appears to center on entities tied to New York-based Resource Anesthesiology Associates and Anesthesia Associates, including sites in El Paso, California, Washington, Palm Springs, Lynbrook, Hazleton, Fredericksburg, Bronx, San Joaquin, and Maryland. Upstate Anesthesia Services is also listed.
It’s currently unclear the name of the management company. A dive into how, or whether, these providers are connected found just one breach notice from Anesthesia Associates of El Paso PA, “an anesthesia provider to a local healthcare facility.”
The breach notification shows the incident occurred on July 15, 2022 at “its management company.” No further details are shared as to the entity behind the incident, or the threat behind the compromise.
However the incident occurred, it appears that protected health information stored in the management company’s system was impacted during the event, which included patient names, contact details, health insurance policy numbers, Social Security numbers, payment data, and health information, such as treatments and diagnoses.
The entities involved have since improved security controls to better “secure the system and protect patient information.”
OakBend Medical patients targeted by email schemes after ransomware attack
Three weeks after falling victim to a ransomware attack and data exfiltration incident, OakBend Medical Center reported the recovery team restored its network and clinical systems brought offline in the wake of the attack.
OakBend brought the systems back online on Sept. 30, with some replacement processes being utilized as it finished recovering the impacted systems. One week later, the Texas provider began warning patients that third-party actors were targeting individuals with email schemes, with themes tied to the ransomware incident.
As SC Media previously reported, OakBend Medical took its network offline and launched electronic health record downtime procedures in response to a ransomware incident deployed on Sept. 1. Two weeks later, the systems remained down as the team worked to rebuild the affected systems.
Officials quickly confirmed that the Daixin threat group claimed responsibility for the attack, posting data proofs on the dark web that contained more than 1 million records allegedly stolen from the hospital prior to the ransomware deployment.
But now patients are facing further risks, as an Oct. 7 notice shows patients are receiving emails designed to appear as if sent from OakBend in regards to the data and system impacts. Hospital officials are warning patients that “all verified information regarding system updates, investigative findings, and next steps will continue to come directly from the office through email updates and website postings.”
On Oct. 11, officials added that the forensic investigation is ongoing and has not determined the extent of the data theft, nor who was affected. Patients have been asked to send the hospital the fraudulent emails for analysis. OakBend is offering all patients 18 months of credit monitoring to support fraud prevention.
6 months after data theft, CSI Labs reports another PHI breach
Nearly 245,000 patients with ties to CSI Laboratories were recently notified that their data was compromised after a phishing incident gave a threat actor access to a single employee email account.
The notice comes just six months after the Georgia-based cancer testing and diagnostics laboratory reported falling victim to a February cyberattack that led to IT disruptions and the exfiltration of data tied to 312,000 patients, such as names, patient case numbers, dates of birth, addresses, medical record numbers, and health insurance information.
The latest security incident was discovered on July 8, which led the security team to promptly isolate the affected email account and launch an investigation. The forensic evidence shows the phishing attack appeared designed to commit financial fraud on other entities by redirecting customer payments from health providers to an account controlled by the actors using a fictitious email address.
“The invoices were not directly billed to patients. Thus, we believe that the malicious actor was seeking to divert invoice payments,” rather than to access patient data, according to the notice.
However, the investigation determined on July 15 that the hacker indeed acquired “certain files from the affected employee mailbox, including documents that may have contained patient information.” The discovery prompted a new analysis to determine the scope and impact on patient information.
The exfiltrated data was found to involve invoices sent to CSI healthcare provider customers, which varied by invoice. The information “generally” contained patient names and numbers, as well as dates of birth and health insurance information. No patient financial data was compromised.
CSI stressed that the incident was limited to a single email inbox, and its network and IT systems were not impacted by the event. Employees have since received additional phishing-related awareness and training, as CSI works to improve its enterprise security to prevent a recurrence.
Aesthetic Dermatology hack leads to data access for 34K patients
The personal and protected health information of 33,793 Aesthetic Dermatology Associates patients was accessed during a systems’ hack in August.
It should be noted that an industry advisory shows the BianLian threat group has posted a data listing allegedly tied to Aesthetic Dermatology Associates. However, the provider’s notice purports there’s been no evidence of data misuse.
The official notification shows that suspicious activity was discovered on Aug. 15, which prompted an investigation with support from a computer forensics specialist. The analysis discovered an attacker accessed its network systems, some of which contained personal information.
A review of those files confirmed PHI was accessed during the hack, which included patient names, diagnosis codes, dates of birth, contact details, and health insurance information. SSNs were not involved.
Aesthetic Dermatology has since secured the affected systems and plan to implement additional safeguards to prevent another incident.
Magellan Rx Management reports third-party vendor incident
Magellan Rx Management recently informed 13,663 TennCare patients, who leverage MRx for pharmacy benefit services, that their data was compromised after the hack of an email account belonging to its former auditing vendor NorthStar. MRx provides healthcare delivery and pharmacy management services to managed care entities, health plans, and and other third-party administrators.
NorthStar previously disclosed its April email hack in early September, where a threat actor gained access to a single employee email account and accessed or stole Medicaid data tied to the Georgia Department of Community Health. About 18,354 members were affected by the incident.
The incident was first detected on April 20, but MRx was not notified by NorthStar until July 25. The investigation determined the attacker had access to the account for more than two months between February 5, 2022 and April 17, 2022. During the dwell time, the actor accessed the account, but the investigators could not verify what, if any, data was accessed or acquired.
For MRx, the account contained the personal data of patients enrolled in health plans serviced by MRx. The notice suggests NorthStar’s investigation is ongoing, which could account for the delay in notifying patients. And “although NorthStar is no longer an MRx vendor, MRx has processes in place to ensure that its vendors safeguard personal information within their possession.”
The incident joins an earlier email compromise reported by MRx’s parent company Magellan Health in the last three years. Several weeks ago, Magellan Health settled a breach lawsuit for $1.43 million with the 270,000 patients whose data was compromised during a months-long hack of an employee email account in the Spring of 2019.
Cardiac Imaging Associates reports email hack from April
An undisclosed number of patients tied to Cardiac Imaging Associates are just now learning that their data was compromised after the hack of an internal email account in April. CIA is a medical imaging services vendor for healthcare providers.
Under the Health Insurance Portability and Accountability Act, breach notices should be sent to patients within 60 days of discovery and not at the close of an investigation. According to its notice, it appears that CIA’s delay was due to its investigation only recently being closed.
Upon discovering the email intrusion, the account was secured. A subsequent investigation determined the threat actor had access to the account for a week between March 30 and April 6. The forensic analysis could not determine whether the actor viewed the emails or attachments within the accounts, which prompted a “thorough and time-intensive review of the contents of the email accounts.”
The compromised data varied by patient and could include names, SSNs, dates of birth, driver's licenses, financial account and payment card information, medical diagnoses, conditions, lab results, treatments, and prescriptions. It’s possible the data was accessed or acquired.
CIA has since enhanced its security, as it reviews its existing policies and procedures and implements internal training protocols to mitigate possible risks.